GDPR-ready. EU + Swiss compliant.
CodeCourier processes personal data under the GDPR and the revised Swiss FADP. Exercise any of your eight data subject rights at any time; we respond without undue delay and in any event within one month, as Article 12(3) requires.
The shape of our privacy programme.
A precise summary of the regimes we comply with, the rights we honour and the vendors we audit - before you dive into the detail.
Adequacy: Switzerland ↔ EU
Switzerland is recognised as adequate under GDPR Article 45. We also comply with the revised Swiss FADP, in force since September 2023.
Lawful bases: 6
We rely on consent, contract, legal obligation, vital interests, public task and legitimate interests - each documented and proportionate to the purpose.
Subject rights: 8
All rights under Articles 15–22 are honoured by a single inbox. Withdrawal of consent under Article 7(3) is just as easy as granting it.
Subprocessors: documented
Every subprocessor is contractually bound under Article 28 and listed on request. Material additions are notified 30 days in advance.
Controller or Processor - depending on the data.
Under the GDPR, the same company can be a controller for some data and a processor for others. Here is exactly where CodeCourier falls for each category.
We're a CONTROLLER for…
- Marketing leads collected via forms, demos and content downloads.
- Account signup, billing data and invoicing records.
- Customer support inquiries and the metadata of our communications.
- Aggregated, de-identified product analytics used to operate the service.
We're a PROCESSOR for…
- Customer-uploaded source code and repository contents.
- Agent run logs, traces and tool-call outputs created on your behalf.
- Sandbox file artifacts produced during agent runs.
- Project contexts, personas and team configurations you author.
- Learnings and embeddings derived from your private corpus.
Our Data Processing Addendum (DPA) governs the processor relationship and is available on request.
Six bases. Each one used on purpose.
Every processing activity is mapped to one of the six lawful bases listed in Article 6 - and only that basis. We do not stack bases to keep options open.
Consent
Used for non-essential marketing emails, analytics cookies and any optional personalisation. Always granular, always revocable in one click.
Contract
Used to deliver the service you signed up for: provisioning sandboxes, running agents, storing your project context and producing invoices.
Legal obligation
Used to retain accounting and tax records under Swiss commercial law, to respond to lawful requests and to honour data subject rights.
Vital interests
Reserved for life-or-safety situations - we do not actively rely on this basis, but it remains available if an emergency requires acting on personal data.
Public task
Not used. We are a private commercial operator and do not perform tasks carried out in the public interest or under official authority.
Legitimate interests
Used narrowly for fraud prevention, service security, abuse detection and minimal product telemetry - always after a balancing test against your rights.
Eight rights. One inbox.
You do not need a form, a portal or a lawyer. Send a single email and we route the request to the right team and respond within the statutory deadline.
Right of access
You may obtain confirmation of whether we process your personal data, a copy of that data and information about purposes, categories and recipients.
Right to rectification
You may have inaccurate personal data corrected without undue delay and have incomplete data completed, including by providing a supplementary statement.
Right to erasure
Also known as the right to be forgotten. We delete personal data where one of the statutory grounds applies, subject to retention duties we must respect.
Right to restriction
You may require us to limit processing in specific circumstances - for example while we verify an accuracy challenge or during a balancing test for objections.
Right to portability
Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, machine-readable format.
Right to object
You may object at any time to processing based on legitimate interests, and to direct marketing. For direct marketing we stop unconditionally. For other legitimate-interest processing we stop unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms.
Automated decision-making
We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects without meaningful human review.
Withdrawal of consent
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal.
We respond within one month, as required by Article 12(3). If a request is complex, or you send several at once, we may extend by up to two further months; you will hear from us, with the reasons for the extension, within the first month regardless.
How data moves across borders.
Personal data leaves an EU/EEA jurisdiction only when there is a valid transfer mechanism - and we document which one applies for each destination.
Switzerland benefits from a European Commission adequacy decision under GDPR Article 45, so transfers between the EU/EEA and Switzerland do not require additional safeguards. Post-Schrems II, we treat every onward transfer with the same diligence.
For transfers to jurisdictions without an adequacy decision we use the 2021 Standard Contractual Clauses (SCCs) as our default safeguard, combined with the Swiss FADP supplement where the data is subject to Swiss law in parallel.
Where the destination country's surveillance laws warrant it, we run a Transfer Impact Assessment and apply supplementary measures - typically encryption controlled by the controller and contractual transparency commitments.
Pick where your data lives.
Customer data is stored in regional clusters. EU and Swiss residency are available today; additional regions are on the roadmap and can be enabled on request.
EU (Frankfurt)
Primary region for EU customers. All processing and backups stay within the EU/EEA boundary.
Switzerland (Zurich)
Swiss residency for FADP-sensitive customers. Adequate with the EU under Article 45.
United States (Virginia)
Planned for customers requiring US residency. Will ship with 2021 SCCs and a Transfer Impact Assessment.
Other regions on request
We can scope regional clusters in UK, APAC or LATAM for enterprise contracts - talk to us about your residency needs.
Documented, audited, notified.
We rely on a small set of subprocessors - cloud infrastructure, model providers and operational tools - each bound by an Article 28 processing contract and reviewed annually for security and privacy posture.
The full subprocessor list, including categories, locations and transfer mechanisms, is available on request and is republished in our DPA.
Technical & organisational measures.
Article 32 requires security appropriate to the risk. These are the measures we apply across our processing activities - explained in plain language.
Encryption
TLS 1.2+ for data in transit and AES-256 for data at rest. Keys are managed by the cloud provider's KMS with rotation and audit logging enabled.
Pseudonymisation
Internal analytics, telemetry and ML workflows operate on pseudonymous identifiers wherever the purpose does not require attributable data.
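The keyed pseudonymisation described above, as an added illustration (this is not CodeCourier's code; the key handling, field names and sample events are assumptions). A keyed HMAC gives analytics a stable per-user token for counting distinct subjects while the token cannot be reversed or linked to an account without the key; a domain string keeps tokens from separate pipelines unjoinable; and direct identifiers the purpose does not need are dropped rather than carried along.

```python
import hashlib
import hmac
import secrets

# Hypothetical: one secret key per pseudonymisation domain, held in the KMS,
# never stored beside the pseudonymised events.
def new_pseudonym_key() -> bytes:
    return secrets.token_bytes(32)


def pseudonymise(user_id: str, domain: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 128 bits).
    Same user + same key + same domain -> same token, so distinct users can be
    counted; without the key the token cannot be reversed or linked back.
    The domain prefix separates tokens of different pipelines."""
    msg = domain.encode() + b"\x00" + user_id.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


# Direct identifiers that an analytics purpose does not need.
DIRECT_IDENTIFIERS = {"user_id", "email", "ip"}


def strip_identifiers(event: dict, key: bytes, domain: str = "analytics") -> dict:
    """Return a copy of the event with direct identifiers removed and a
    pseudonymous 'subject' field in their place (data minimisation)."""
    out = {k: v for k, v in event.items() if k not in DIRECT_IDENTIFIERS}
    out["subject"] = pseudonymise(event["user_id"], domain, key)
    return out


def distinct_subjects(events, key: bytes, domain: str = "analytics") -> int:
    """Count distinct users over pseudonymised events without seeing user IDs."""
    return len({strip_identifiers(e, key, domain)["subject"] for e in events})


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"user_id": "u-1001", "email": "a@example.com", "ip": "203.0.113.7",
     "event": "agent_run", "duration_ms": 1820},
    {"user_id": "u-1001", "email": "a@example.com", "ip": "203.0.113.7",
     "event": "agent_run", "duration_ms": 950},
    {"user_id": "u-2002", "email": "b@example.com", "ip": "198.51.100.3",
     "event": "sandbox_create", "duration_ms": 400},
]

if __name__ == "__main__":
    key = new_pseudonym_key()
    for ev in SAMPLE_EVENTS:
        print(strip_identifiers(ev, key))
    print("distinct subjects:", distinct_subjects(SAMPLE_EVENTS, key))
```

Deleting the domain key afterwards leaves tokens that no one can map back to accounts, which is why the key must live in the KMS rather than in the analytics store; and because the pseudonym is deterministic, a fresh key is required whenever you want a new, unlinkable token set (for example per reporting period).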
Access controls (RBAC)
Role-based access with least privilege, SSO for staff, mandatory MFA and quarterly access reviews. Production access is logged and time-bound.
Resilience & backups
Encrypted, geo-redundant backups with documented RTO/RPO targets and routine restore drills to confirm recovery actually works.
Incident response
A documented playbook with severity tiers and an on-call rotation. Where we act as processor, we notify the affected controller without undue delay (Article 33(2)); where we act as controller, we notify the competent supervisory authority within 72 hours of becoming aware of a notifiable breach (Article 33(1)).
Regular testing
Continuous dependency scanning, periodic application penetration tests and tabletop exercises that probe both technical and organisational controls.
Data protection contact.
- Controller: CodeCourier
- Representative: Nico Jaroszewski
- Address: Schlosstalstrasse 202, 8408 Winterthur, Switzerland
- Email: info@codecourier.dev
EU representative under Art. 27: Not required at present. CodeCourier is established in Switzerland and currently relies on the exemption in Article 27(2)(a), which applies where processing of EU data subjects' data is occasional, does not include large-scale processing of special categories of data and is unlikely to result in a risk to data subjects. A representative will be appointed as soon as that exemption no longer applies. A formal Data Protection Officer (Art. 37) is not designated unless processing scale or sensitivity requires it.
Questions, answered honestly.
How long do you retain customer data?
Can I get my data exported?
Do you train models on customer code?
What happens to data when I cancel?
Do you transfer data to the US?
How do I file a complaint with my supervisory authority?
Hire your first AI engineer.
Ship by lunchtime.
5 minutes to onboard. First PR within an hour. Cancel anytime.